Google becomes its own Root Certificate Authority

Google is stepping up its involvement in web security, acquiring several root certificates so that it can issue digital (SSL/TLS) certificates itself rather than rely on third-party firms.

From today on, any developer who wishes to connect to a Google service will need to trust the two root certificates specified by Google. The search giant and the world's most popular website is also now its own root certificate authority (CA).

Google says the reason it’s established its root certificate authority (CA) is because it believes HTTPS, a protocol that encrypts communications between users and websites, is key to the future of a more secure web.

“As we look forward to the evolution of both the web and our own products it is clear HTTPS will continue to be a foundational technology. This is why we have made the decision to expand our current Certificate Authority efforts to include the operation of our own Root Certificate Authority,” Ryan Hurst, a security and privacy engineer at Google, said in a blog post.

Google has created a new company called Google Trust Services (GTS) LLC, which operates its own certificate authorities on behalf of Google and its parent company, Alphabet. GTS now oversees all of Google’s public key infrastructure and the issuance of digital security certificates.

While it will allow Google to accelerate the move to HTTPS for its own products, it also gives it fuller control over certificates for Google domains, enabling it to revoke them if necessary. Google will, for example, oversee the process of validating private encryption keys held by website operators that are seeking a certificate. Should anyone try to get a certificate for a Google domain, it could deny the application.

Google has in the past reacted strongly to rogue and error-prone CAs that have issued certificates for Google domains, which allowed certificate holders to spoof its sites and intercept user communications.

It follows a recently discovered blunder by Symantec, one of the largest CAs, in issuing several certificates to domains without the domain owner’s knowledge.

Google last year also threatened to distrust Symantec-issued certificates in Chrome after it wrongly issued certificates for several Google domains. Had Google followed through with the threat, sites that used Symantec’s certificates would have been flagged as not safe.

On several occasions CAs have given cause for distrust in their role in securing the web. Mozilla, the maker of Firefox, last year distrusted the Chinese CA WoSign for dubious behavior, and before that distrusted the Chinese government CA CNNIC for issuing certificates that undermined trust.

“You can now have a website secured by a certificate issued by a Google CA, hosted on Google web infrastructure, with a domain registered using Google Domains, resolved using Google Public DNS, going over Google Fiber, in Google Chrome on a Google Chromebook. Google has officially vertically integrated the Internet,” wrote one user.

On the other hand, what other company is better placed to verify Google domains than Google?

“Instead of a third-party you trust (or rather, your user-agent trusts) vouching that Google's indeed Google, it's now Google vouching for itself, and you trust them by the virtue that they're Google. This ought not be surprising: presumably, who better to say that Google is indeed Google than Google itself?”

To launch its new certificate authority, Google acquired several root certificates from GMO GlobalSign last August and took full control of them in December. It’s now published them on its own site.


Copyright 2018 IDG Communications.